Abstract. We investigate a number of issues related to the use of multiple trust authorities in the type of identifier based cryptography enabled by the Weil and Tate pairings. An example of such a system is the Boneh and Franklin encryption scheme. We examine how to create an efficient hierarchy of multiple trust authorities and then go on to examine some application areas of pairing based cryptography.

1 Introduction 

In 1984 Shamir [10] introduced the concept of identity based cryptography and 
proposed a signature scheme based on the RSA assumption. Over the years a 
number of researchers tried to propose secure and efficient identity based encryption algorithms, but with little success. This state of affairs changed in 2001
when two identity based encryption algorithms were proposed, one by Cocks 
[4] based on the quadratic residuosity assumption and another by Boneh and 
Franklin [1] based on the Weil pairing, although using a variant based on the 
Tate pairing is more efficient. A number of identity based signature algorithms 
based on the Tate pairing also exist, e.g. [3], [7] and [9]. 

The creation of these identity based schemes made it possible to approach 
the problem of creating a public-key infrastructure from a new angle. To this 
end Horwitz and Lynn [8] describe a way of coping with a hierarchy of trust 
authorities using only identity-based encryption. However, this advantage of only 
being based on identifiers comes with a disadvantage that the proposed system 
only works with two levels of keys and that a certain amount of collusion leads 
to the whole system being broken. This paper addresses the same issues as [8] 
and provides a more scalable solution. 



The paper is structured as follows. In the next section we set up notation and recap on a number of pairing based schemes. In section 3 we describe how
a hybrid of traditional PKI and IBE may be created that could overcome some 
of the current scalability issues with traditional PKIs. We show how the short 
signature of Boneh, Lynn and Shacham [2] lends itself naturally to use in the 
certificates of a hybrid traditional-PKI/IBE system. In section 4 we describe 
a scalable hierarchy of trust authorities using a combination of IBE and short 
signatures. In section 5 we look at some applications that would require a scalable 
and efficient hierarchy of trust authorities. Section 6 draws some conclusions from 
this paper. 

2 Notation and Pairing Based Schemes 

2.1 The Tate Pairing 

Let $G_1$ and $G_2$ denote two groups of prime order $q$ in which the discrete logarithm problem is believed to be hard and for which there exists a computable bilinear map

$$t : G_1 \times G_1 \longrightarrow G_2.$$

We shall write $G_1$ with an additive notation and $G_2$ with a multiplicative notation, since in real life $G_1$ will be the group of points on an elliptic curve and $G_2$ will denote a subgroup of the multiplicative group of a finite field.

Since the mapping is bilinear, we can move exponents/multipliers around at will. For example if $a, b, c \in \mathbb{F}_q$ and $P, Q \in G_1$ then we have

$$
\begin{aligned}
t(aP, bQ)^c &= t(aP, cQ)^b = t(bP, cQ)^a = t(bP, aQ)^c = t(cP, aQ)^b = t(cP, bQ)^a \\
&= t(abP, Q)^c = t(abP, cQ) = t(P, abQ)^c = t(cP, abQ) \\
&= t(abcP, Q) = t(P, abcQ) = t(P, Q)^{abc}.
\end{aligned}
$$

These tricks will be used repeatedly throughout this document. 
We define the following cryptographic hash functions

$$
\begin{aligned}
H_1 &: \{0,1\}^* \longrightarrow G_1, \\
H_2 &: \{0,1\}^* \longrightarrow \mathbb{F}_q, \\
H_3 &: G_2 \longrightarrow \{0,1\}^*.
\end{aligned}
$$

2.2 Types of Public/Private Key Pairs 

We require the following two types of keys:

— A standard public/private key pair is a pair $(R, s)$ where $R \in G_1$ and $s \in \mathbb{F}_q$ with

$$R = sP$$

for some given fixed point $P \in G_1$.

— An identifier based key pair is a pair $(Q_{ID}, S_{ID})$ where $Q_{ID}, S_{ID} \in G_1$ and there is some trust authority (TA) with a standard public/private key pair given by $(R_{TA}, s)$, such that the key pair of the trust authority and the key pair of the identifier are linked via

$$S_{ID} = sQ_{ID} \quad \text{and} \quad Q_{ID} = H_1(\mathrm{ID}),$$

where ID is the identifier string.

2.3 Cryptographic Primitives 

We recap on the following three cryptographic primitives. 

Short Signatures This scheme, due to Boneh, Lynn and Shacham [2], allows the holder of the private part $s$ of a standard public/private key pair to sign a bit string. Let $m$ denote the message to be signed.

— Signing :
Compute $V = sH_1(m)$.

— Verification :
Check whether the following equation holds

$$t(P, V) = t(R, H_1(m)).$$

Since this is the first time we have used the pairing it is worth demonstrating why the equation should hold for a valid signature.

$$
\begin{aligned}
t(P, V) &= t(P, sH_1(m)) && \text{Since } V = sH_1(m), \\
&= t(P, H_1(m))^s && \text{By linearity in the second coordinate,} \\
&= t(sP, H_1(m)) && \text{By linearity in the first coordinate,} \\
&= t(R, H_1(m)) && \text{Since } R = sP.
\end{aligned}
$$

Identifier Based Encryption This scheme, due to Boneh and Franklin [1], allows the holder of the private part $S_{ID}$ of an identifier based key pair to decrypt a message sent to her under the public part $Q_{ID}$. We present only the simple scheme which is only ID-OWE; for an ID-CCA scheme one applies the Fujisaki-Okamoto transformation [6]. Let $m$ denote the message to be encrypted, then:

— Encryption :
Compute $U = rP$ where $r$ is a random element of $\mathbb{F}_q$. Then compute

$$V = m \oplus H_3(t(R_{TA}, rQ_{ID})).$$

Output the ciphertext $(U, V)$.

— Decryption :
Decryption is performed by computing

$$
\begin{aligned}
V \oplus H_3(t(U, S_{ID})) &= V \oplus H_3(t(rP, sQ_{ID})) \\
&= V \oplus H_3(t(P, Q_{ID})^{rs}) \\
&= V \oplus H_3(t(sP, rQ_{ID})) \\
&= m.
\end{aligned}
$$

Identifier Based Signatures There are a number of such schemes based on the Tate pairing; we present the one due to Hess [7], which is not only efficient but has a security proof relative to the computational Diffie-Hellman problem in $G_1$. Let $m$ denote the message to be signed, then:

— Signing :
Compute $r = t(P, P)^k$ where $k$ is a random element of $\mathbb{F}_q$. Apply the hash function $H_2$ to $m \| r$ to obtain $h = H_2(m \| r)$. Compute

$$U = hS_{ID} + kP.$$

Output $(U, h)$ as the signature on the message $m$.

— Verification :
Compute

$$r = t(U, P)\, t(Q_{ID}, -R_{TA})^h.$$

Accept the signature if and only if $h = H_2(m \| r)$.
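The page shows why the short signature check holds but not why this verification recovers $r$; the derivation below is added here, in the paper's notation, and is not part of the original text.

```latex
\begin{aligned}
t(U, P) &= t(hS_{ID} + kP, P) && \text{Since } U = hS_{ID} + kP, \\
        &= t(S_{ID}, P)^h \, t(P, P)^k && \text{By linearity in the first coordinate,} \\
        &= t(sQ_{ID}, P)^h \, r && \text{Since } S_{ID} = sQ_{ID} \text{ and } r = t(P,P)^k, \\
        &= t(Q_{ID}, sP)^h \, r = t(Q_{ID}, R_{TA})^h \, r && \text{Since } R_{TA} = sP.
\end{aligned}
```

Multiplying by $t(Q_{ID}, -R_{TA})^h = t(Q_{ID}, R_{TA})^{-h}$ cancels the first factor and leaves exactly $r$, so the verifier's recomputed $H_2(m \| r)$ equals $h$ for a valid signature; the verifier needs only $Q_{ID} = H_1(\mathrm{ID})$ and the trust authority's key $R_{TA}$.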

3 A Hybrid PKI/IBE 

3.1 Combining a traditional PKI with IBE 

In [8] a way of coping with a hierarchy of trust authorities is presented. The 
approach is for trust authorities to produce keys for trust authorities further 
down the hierarchy. There is only one standard public/private key pair in the 
whole system, which belongs to the root trust authority. All other keys are 
identifier based key pairs and as such the hierarchy produced can be considered 
as a pure identifier based infrastructure. 

However, this advantage of only being based on identifiers comes with a 
disadvantage that the proposed system only works with two levels of keys and 
that a certain amount of collusion leads to the whole system being broken. Thus 
this type of hierarchical approach as a means to replacing traditional, X509 like, 
PKI systems seems to suffer from worse scalability issues than X509. 

As a solution we propose a hybrid system which merges traditional PKI 
solutions with identifier based solutions. We assume a multitude of standard 
public/private key pairs held by trust authorities, with user keys being identity 
based. A number of points need to be made:



— This model of multiple trust authorities is more likely to resemble the "real 
world" where no global hierarchy is in place. 

— We do not assume that trust authorities are embodied in reputable organisations, for example some applications may want trust authorities to be embedded into one's PDA. However, we do not exclude global trust authorities such as Verisign or Microsoft in our model.

Hence, multiple trust authorities can exist but we assume encryption and signa- 
tures are made using identifier based keys. With multiple trust authorities one 
of course needs some way of authenticating, or cross certifying, the authorities 
as in a traditional form of PKI solution. 

So has this hybrid PKI/IBE based solution bought us anything? It appears 
to have created a level of complication, but our belief is that this makes the 
system more scalable. A common problem with traditional PKI is that whilst it 
is very good at authenticating domain names, as in the use of SSL, it is rather 
poor in authenticating large numbers of individual users. On the other hand, 
identifier based systems are very good at identifying individual users, but poor 
when it comes to multiple trust domains (as the paper [8] demonstrates). 

We use two analogies for the state of affairs we envisage: 

— The first is from the world of telecommunications. In this world there are two 
systems (often run by two separate companies). There is the local loop which 
is the copper wires (or fibre optic cables) from your home to the exchange 
and then there is the global long distance telephone system. One should 
think of the local loop being identifier based and the long distance network 
being PKI based. 

— The email system has a similar discontinuity between what are essentially local and global names. Take the email address

Alice@people.iacr.org

The people.iacr.org part is a global name which can be authenticated efficiently using standard certificate chains. The problems arise when one tries to push down the PKI solution to the next level. The Alice part is therefore more easily dealt with using identifier based systems.

3.2 Certificates using Short Signatures 

We examine this hierarchy of TAs in more detail using the above email address as an example. We let the three TAs each have their own standard public/private key pairs:

    Entity    Private Key    Public Key
    org       $s_1$          $R_{org} = s_1 P$
    iacr      $s_2$          $R_{iacr} = s_2 P$
    people    $s_3$          $R_{people} = s_3 P$



The entity Alice is issued an identifier based key pair from the trust authority 
people, namely 

$$S_{Alice} = s_3 Q_{Alice} \quad \text{and} \quad Q_{Alice} = H_1(\mathrm{Alice}).$$

Now suppose someone, Bob, wishes to send the entity denoted by 

Alice@people.iacr.org

an email or someone wishes to verify that entity's signature. Bob first needs to 
obtain a trusted copy of the public key of the people trust authority. 

Supposing Bob already trusts the public key of the trust authority org. They 
could simply verify a certificate chain down to the public key of people using 
standard certificate formats, but since each trust authority has the correct type 
of standard public/private key pair we can use the short signature scheme of 
Boneh, Lynn and Shacham. 

The certificate of the trust authority iacr, as produced by the trust authority 
org would then look like 

$$(\text{Subject}, \text{Issuer}, \text{Key}, \text{Signature}) = (\mathrm{iacr}, \mathrm{org}, R_{iacr}, V)$$

where

$$V = s_1 H_1(R_{iacr} \| \mathrm{iacr}).$$

Note that we can use the same code to perform certificate checking and verification as one would use to produce identifier based encryption and signatures. This will be an advantage on small devices which may only allow small code footprints.

4 Hierarchies of Linked Trust Authorities 

In the previous section we assumed that the various trust authorities were not 
linked via their identities but simply had traditional public/private key pairs. In 
this section we examine what happens when the trust authorities are linked in 
an identifier based hierarchy. 
(Key listing for the linked hierarchy; only the final entries survive: $S_{Alice} = s_3 Q_{Alice}$ and $Q_{Alice} = H_1(\mathrm{Alice})$.)

We now have the chance to authenticate public keys in another way. If a user trusts the standard public key of any TA in the hierarchy (either org, iacr or people), this TA will become the root of trust to the user, and then this TA's corresponding standard private key will become the master key to the user. In this section, we consider an example where a user trusts the standard public key of iacr, i.e. $s_2 P$. Based on this trust he wishes to authenticate the identifier based public key of Alice, which has been issued by the trust authority people. We shall see that both iacr and people are able to offer this authentication service.

4.1 Transferring Trust at the upper level

One obvious way of doing this is for iacr to sign people's standard public key, using the short signature scheme, as above. Since iacr's standard public key is trusted, the verifier will then trust people's standard public key and so will trust Alice's identifier based public key.

We can represent this transfer of trust from iacr to people via 

$$\mathrm{iacr} \longrightarrow \mathrm{people},$$

since the certification is performed by iacr. 

4.2 Transferring Trust at the lower level 

There is another obvious solution, which is for people to sign its own standard 
public key using an identifier based signature scheme, with the identifier based 
private key supplied to people by iacr. Since iacr's standard public key is 
trusted, the verifier trusts people's identifier based public key and will then 
trust the signature on people's standard public key. Just as before the verifier 
will then trust Alice's identifier based public key. 

We represent this transfer of trust from iacr to people via 

$$\mathrm{iacr} \longleftarrow \mathrm{people},$$

since now the certification is performed by the trust authority people. 

4.3 Balanced Trust Transferal 

However, there is another more natural way which can be deployed by either iacr or people and which to the user is transparent as to who actually produced the authentication of people's public key. A situation which we can represent diagrammatically via

$$\mathrm{iacr} \longleftrightarrow \mathrm{people}.$$

The system we provide below provides implicit authentication of the key $R_{people}$, in that explicit authentication is only obtained once the key $R_{people}$ has been seen 'in action', in other words it is used to verify a signature.

The verifier is assumed to know and trust the standard public key $R_{iacr}$. They wish to obtain implicit trust that people's standard public key $R_{people}$ is linked to the entity which iacr is claiming to be people. Once this linkage is established the verifier can then use Alice's public key.

One of the following stages is then executed: 



— If the authenticating party is people, then people generates a random value $r \in \mathbb{F}_q$ and publishes

$$C_1 = rS_{people} = rs_2Q_{people}, \quad C_2 = rQ_{people}, \quad C_3 = rR_{people}.$$

— If the authenticating party is iacr, then iacr generates a random value $r \in \mathbb{F}_q$ and publishes

$$C_1 = rs_2Q_{people}, \quad C_2 = rQ_{people}, \quad C_3 = rR_{people}.$$

The verifier can then check that the linkage is as claimed by checking that the following two equations hold

$$
\begin{aligned}
t(C_2, R_{people}) &= t(rQ_{people}, R_{people}) = t(Q_{people}, rR_{people}) = t(Q_{people}, C_3), \\
t(P, C_1) &= t(P, rs_2Q_{people}) = t(s_2P, rQ_{people}) = t(R_{iacr}, C_2).
\end{aligned}
$$

These two equations demonstrate that the discrete logarithms are related as they should be.
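As an added example, not code from the paper, the following Python models the Section 3.2 certificate check and the Section 4.3 linkage check over a constructed toy pairing: $G_1$ is taken to be $\mathbb{Z}_q$ with $P = 1$ and $t(aP, bP) = g^{ab}$ in an order-$q$ subgroup of $\mathbb{Z}_p^*$, which is bilinear but offers no security (discrete logarithms in this $G_1$ are trivial), so it exercises the equations only. The parameters $q = 1019$, $p = 2039$, $g = 4$, the function names and the TA secrets are all assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy parameters: G_1 is Z_q (written additively, generator P = 1) and
# G_2 is the order-q subgroup of Z_p^* generated by g, with p = 2q + 1.  Discrete
# logarithms in this G_1 are trivial, so the model exercises the algebra only.
q, p, g, P = 1019, 2039, 4, 1

def t(X, Y):
    """Toy bilinear map t: G_1 x G_1 -> G_2 with t(aP, bP) = g^(ab)."""
    return pow(g, (X * Y) % q, p)

def H1(msg):
    """Hash a byte string to a non-zero element of G_1 (the paper's H_1)."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (q - 1)

# Section 3.2: certificate (Subject, Issuer, Key, Signature) whose signature is the
# short signature V = s_issuer * H1(R_subject || Subject).
def cert_body(subject, R_subject):
    return R_subject.to_bytes(2, "big") + subject

def issue_cert(s_issuer, issuer, subject, R_subject):
    V = (s_issuer * H1(cert_body(subject, R_subject))) % q
    return subject, issuer, R_subject, V

def check_cert(R_issuer, cert):
    """Verification equation t(P, V) = t(R_issuer, H1(R_subject || Subject))."""
    subject, _issuer, R_subject, V = cert
    return t(P, V) == t(R_issuer, H1(cert_body(subject, R_subject)))

# Section 4.3: balanced trust transferal.  Both parties publish a tuple of the same
# form, so the verifier cannot tell which of them produced it.
def publish_by_people(S_people, Q_people, R_people):
    r = secrets.randbelow(q - 1) + 1
    return (r * S_people) % q, (r * Q_people) % q, (r * R_people) % q

def publish_by_iacr(s2, Q_people, R_people):
    r = secrets.randbelow(q - 1) + 1
    return (r * s2 * Q_people) % q, (r * Q_people) % q, (r * R_people) % q

def verify_linkage(R_iacr, Q_people, R_people, C):
    """The two pairing equations of Section 4.3; R_iacr is the verifier's trusted key."""
    C1, C2, C3 = C
    return t(C2, R_people) == t(Q_people, C3) and t(P, C1) == t(R_iacr, C2)

def demo():
    s1, s2, s3 = 17, 523, 901                     # constructed TA secrets
    R_org, R_iacr, R_people = (s1 * P) % q, (s2 * P) % q, (s3 * P) % q
    # org certifies iacr's standard key; a tampered signature must not verify.
    cert = issue_cert(s1, b"org", b"iacr", R_iacr)
    tampered = cert[:3] + ((cert[3] + 1) % q,)
    # iacr has issued people the identifier based key S_people = s2 * Q_people.
    Q_people = H1(b"people")
    S_people = (s2 * Q_people) % q
    by_people = publish_by_people(S_people, Q_people, R_people)
    by_iacr = publish_by_iacr(s2, Q_people, R_people)
    # Claiming a different standard key for people breaks the first equation.
    wrong_key = verify_linkage(R_iacr, Q_people, (R_people + 1) % q, by_iacr)
    return (check_cert(R_org, cert), check_cert(R_org, tampered),
            verify_linkage(R_iacr, Q_people, R_people, by_people),
            verify_linkage(R_iacr, Q_people, R_people, by_iacr), wrong_key)
```

Calling demo() returns (True, False, True, True, False): the genuine certificate and both linkage tuples verify, while the tampered signature and the wrong claimed key for people do not.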

5 Applications of Pairing Based Systems 

We now examine some novel applications of the pairing based cryptosystems 
given at the beginning of this paper. All of the following applications assume 
that the trust authorities are in fact trusted by all users, and hence all require 
some form of certification like those proposed in the prior sections. 

5.1 Delegation of Rights 

Up to now when we have used identifiers they have really been identities. Traditional PKI sometimes makes a distinction between an identity certificate (represented by a 4-Tuple in SPKI for example [5]) and an authorisation certificate (represented by a 5-Tuple in SPKI). Since strings correspond to keys in an identifier based system, we can replace identity strings in our discussion above with authorisation strings.



For example given a SPKI s-expression which describes some access rights, 
we can write down immediately the corresponding identifier public key corre- 
sponding to this s-expression. There is no need to bind the s-expression to the 
key, since the s-expression is the key. 

We now describe how delegation of authorisations can be handled. Suppose 
we have some trust authority (say Alice) who has control of some resource. 
Suppose Alice has a standard public/private key pair given by

$$R_{Alice} = sP.$$

Assume that Bob has a public key given by $R_{Bob}$; this could either be a standard public key or an identifier based one.

Alice wishes to pass authorisation to use this resource to Bob. In SPKI this is represented by the 5-tuple

(Issuer, Subject, Delegate, Authorization, Validity),

where the standard SPKI format is to have Issuer and Subject being hashes of public keys, Delegate being a Yes/No flag, Authorization being the description of what is being authorised and Validity being the validity period.
Alice forms the s-expression given by

$$\sigma = R_{Bob} \| \mathrm{Delegate} \| \mathrm{Authorization} \| \mathrm{Validity}$$

and then forms the public/private key pair given by

$$S_\sigma = sQ_\sigma \quad \text{where } Q_\sigma = H_1(\sigma).$$

Alice then gives the private key $S_\sigma$ to Bob.

For Bob to now use this resource he needs to demonstrate 

— He knows the private key corresponding to $R_{Bob}$, i.e. he is Bob.

— He knows the private key corresponding to $Q_\sigma$, i.e. Alice has given him the authorisation.

To demonstrate the two facts he can either produce a signature or engage in a 
challenge-response protocol using the two corresponding private keys. 

Now consider the case where the Delegate field is set to Yes. In this case Bob is allowed to delegate some, or all, of his authorisation from Alice to a third party, say Charlie. In this case Bob himself needs to act as a trust authority and so must have a standard public/private key pair

$$R_{Bob} = tP.$$

Bob can then create a delegation

$$\tau = R_{Charlie} \| \mathrm{Delegate}' \| \mathrm{Authorization}' \| \mathrm{Validity}'$$

in the same way as Alice did. To use the resource Charlie needs to present both $\sigma$ and $\tau$, and needs to prove



— He knows the private key corresponding to $R_{Charlie}$, i.e. he is Charlie.

— He knows the private key corresponding to $Q_\tau$, i.e. Bob has given him the authorisation.

But how is Alice's original authorisation $\sigma$ going to be authenticated? First Alice should use Bob's key $R_{Bob}$ within the s-expression for $\sigma$, where we interpret this as saying only the key $R_{Bob}$ is allowed to delegate. Finally Bob needs to pass onto Charlie some information which proves that Alice gave him authorisation by revealing the value of $S_\sigma$ to him. This last task is accomplished in one of two ways:

— As in the last section by Bob publishing 

The advantage of this method is that Alice could also produce this informa- 
tion for Charlie, however the disadvantage is the relatively large bandwidth 
considerations. 

— Bob could sign, using the private key $S_\sigma$ and the earlier identifier based signature scheme, the message given by $Q_\tau$.

Composition of the delegated authorisations can be accomplished using the standard SPKI 5-Tuple reduction rules. Notice that one can even remove the delegation field from the s-expressions, since to delegate we require a standard public/private key. We can bind the authorisation to a standard public key when delegations are allowed and an identifier based public key when delegations are not allowed.

5.2 Creating Groups 

We give an example where the use of trust authorities, even at the user level, 
gives a number of added advantages when combined with the identity based 
encryption and signature schemes. Note, this application requires the trust authorities' standard public key to itself be trusted. Hence, the following application assumes the existence of some form of certification for the trust authorities' public keys as we have discussed in the rest of this paper.

Imagine a city in which there is a city wide local public wireless network. For 
example Bristol University, Hewlett-Packard and a number of other organisations 
plan to roll out such an infrastructure across Bristol in the near future. Suppose 
you arrive in this city for a conference and you are good friends with Alice, who 
lives in this city. You would ideally like Alice to pick you up from the airport, 
but if she is not available then one of Alice's friends you would trust to do this. 
Therefore you broadcast a message over the network when you land saying, "I've 
arrived at the airport! I am completely lost! Could one of Alice's friends pick me 
up?". 

Clearly if this was broadcast in the clear then you would leave yourself open for any unscrupulous person to come and try and mug you. Whilst this may not be a major problem in a relatively peaceful city, it may be a problem in some cities. The question arises, how can you encrypt to Alice's friends when you may not know who they are?

To overcome this problem consider the situation in which people are their own trust authorities and issue keys to certain subsets of their acquaintances. In our example Alice is a trust authority and has a standard public/private key pair $(R_{Alice}, s)$ given by

$$R_{Alice} = sP.$$

She then, when she meets her friends, gives them a public/private key not ac- 
cording to the actual name but simply under the identifier Friend. Such a device 
to create, distribute and accept keys can be embedded into either a PDA or into 
some wearable computer that people in the city use to interact with the wireless 
network. 

In this way our hapless traveller, just arrived for the conference, can encrypt 
a message to all of Alice's friends by using the pair of keys 

$$R_{Alice} \quad \text{and} \quad Q_{Friends}.$$

This encrypted message can then be broadcast to the whole city, knowing that 
only Alice's friends can decrypt it. 

5.3 Addition of Multiple Short Signatures 

Although not an application of identifier based cryptography as such, the following illustrates another advantage of the short signature scheme based on pairings. Suppose we have three users Alice, Bob and Charlie with standard public/private key pairs given by

$$R_A = aP, \quad R_B = bP, \quad R_C = cP.$$

Now suppose they wish to all commit to some document by signing it. For example the document could be a treaty and the three parties could be heads of state, or the document could be a will and the three parties could be the person and two witnesses.

Suppose the document is represented by the string $s$. They can then generate individual signatures by computing

$$V_A = aH_1(s), \quad V_B = bH_1(s), \quad V_C = cH_1(s).$$

However, one only needs to store a single signature given by

$$V = V_A + V_B + V_C,$$

since this can be verified by using the "virtual" public key obtained by computing

$$R = R_A + R_B + R_C.$$

Note that in order to guarantee that the signature is unforgeable, one can verify 
that each entity has knowledge of their private keys. 
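Why the combined signature verifies against the virtual key is not spelled out above; the derivation below is added here in the paper's notation and is not part of the original text. It uses nothing but bilinearity, which is also why the equation on its own cannot tell whether $R_A$, $R_B$ and $R_C$ were chosen independently, hence the note about checking each signer's knowledge of their private key.

```latex
\begin{aligned}
t(P, V) &= t(P, V_A + V_B + V_C) = t(P, aH_1(s))\, t(P, bH_1(s))\, t(P, cH_1(s)) \\
        &= t(P, H_1(s))^{a+b+c} = t((a+b+c)P, H_1(s)) \\
        &= t(R_A + R_B + R_C, H_1(s)) = t(R, H_1(s)),
\end{aligned}
```

which is exactly the single-signature verification equation of Section 2.3 with $R$ in place of an individual public key, so the verifier stores one group element for the signature and one for the combined key.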



6 Conclusion 

We have shown how one can create simple certificate chains for identifier based 
cryptosystems using either the short signature system of Boneh, Lynn and 
Shacham or using the identifier based signature scheme of Hess and others. 
We have argued that this is more efficient than using a traditional X.509 based solution due not only to bandwidth but also because the code required to produce the certificate chains can reuse a lot of the routines needed for the end applications of identity based signatures and encryption. Thus the code footprint will be smaller.

We have also given a method of certification in a hierarchy of trust authorities 
which can be performed either by entities certifying down the chain of trust or by 
entities certifying up the chain of trust. The advantage of this scheme is that it is 
transparent to the verifying party as to who actually performed the certification. 

Finally we have examined a number of application domains of pairing based 
cryptography, all of which produce advantages over standard public key crypto- 
graphic systems. 